DNS merge / intercept queries from zone file and recursion server
I chose -Server-; if this is more appropriate in -Networking-, just let me know.
Anyway, I'm looking to do something that probably comes across as stupid to most people in a first-/gut-reaction sense. (Me too, truth be told.) And every page/forum/blog I've found on the net that even hints at relating to my question turns out to be unrelated after all. But I really need to figure out a way to do it -- if it is at all possible.
("Please," he clenches his hands together, shaking with the fervency of his prayer to the net gods, "please, let it be possible!")
Naturally... Viable workarounds are perfectly acceptable if they still achieve the goals below.
Basically, I need to be able to merge responses stored in a zone file with responses from an "upstream" authoritative server.
I'm in the sad position of needing to "intercept" requests to *part* of a domain (but not restricted to a sub-domain!) and return results for *some* hosts that use an internally routed address, and results for the rest using the public internet addresses.
Unfortunately, it's not my domain, so I can't just use views (although I suspect they could end up having some part to play in this, at least potentially)... but instead I have to actually send requests recursing to the other site's external DNS for any hosts my server doesn't have records for in the zone file.
Some background on the situation:
I work at a local government, which has a private link / VPN connection to a state government entity, and needs to use internal addresses for some of the state servers, which then get routed over an "internal" network link. But the state uses the same domain name internally and externally, just presenting views to internal clients vs. external clients. -- However, we are only being allowed access to certain of their servers through the internal link, which means that for any other servers that we don't have internal/private access for, we have to visit the public addresses just like anyone else on the internet... So, I can't just send all requests to their internal DNS and get responses, because we'd get IPs for some servers (e.g. their main web site) that we wouldn't then be able to reach using the internal network link.
Does any of this make sense? I feel like I'm not making it clear, or being too verbose to be clear maybe.
Perhaps an example will help.
Say I have a client machine, "client1", on my network ("my.net"), which uses "mydns1.my.net" for name resolution ... and which needs to access 2 servers on the state network, "private.st.us" and "public.st.us" -- so named based on how "my.net" needs to access them.
The external state DNS server/view ("ext-dns.st.us") responds to requests with something like:
private.st.us -- 18.104.22.1686
public.st.us -- 22.214.171.1247
(Those are just crap addresses, obviously. :)
The internal state DNS server/view ("int-dns.st.us") responds to requests with something like:
private.st.us -- 10.0.0.8
public.st.us -- 10.0.0.10
(These are no more real than the above public ones, but regardless...)
This works on their network because their own clients have access to all such IPs.
But for us, they only allow traffic flowing between "my.net" and their internal network to reach the 10.0.0.8 address, blocking all other address destinations.
So, when "client1.my.net" asks "mydns1.my.net" for the address of "public.st.us", I need "mydns1" to recurse out to "ext-dns.st.us" to get an answer (126.96.36.1997) and then return that IP to "client1" -- because "my.net" is blocked from accessing the server's 10.0.0.10 address.
But, when client1 asks mydns1 for "private.st.us" I need to pull the IP (10.0.0.8) from a local zone file instead of asking either of the state DNS servers -- or optionally forward the request to "int-dns.st.us" I suppose -- because the state blocks access to certain services (which we need and are the whole cause of this problem!) via the public (188.8.131.526) address.
I am way over my head with making this work. I could REALLY use some help if anyone has a clue how to proceed.
Thanks so much for any answers ... or even likely pointers. :)
Hmm... After reading back over my own post to see how it reads, I actually had a new thought. (!)
As I only have (currently) about a dozen addresses on the state's network that need to go through the private link, maybe it would be possible to use zones instead of simple records for those hosts.
I.e. Would it work to use a zone for each of the hosts, so that private.st.us was its own zone, and just put an "@ IN A" record in for the host and nothing else... or even an NS record maybe that points to int-dns.st.us??
Does that sound like it might work? I really *HATE* the idea of making up a zone file for a single host (or rather a dozen zones for a dozen singleton hosts)... but maybe with only a dozen or so, it would be manageable.
Of course, I'd MUCH RATHER have a set of options / settings I could apply to my server instead of such a hack. But... *shrug*
Please let me know if you know of a proper solution, or if you think the hack would work. (I won't be doing any work on the problem till Monday at this point, or I'd just take a crack at the hack in the meantime.) But I'd love to have some input from some experts to tell me if I'm on the right track for a hack, or if there is a real solution available to me. :)
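The one-zone-per-host idea from the post, written out as an added example (not the poster's code). It assumes BIND 9; the output directory, the `hostmaster.my.net` contact and the SOA timers are made up for illustration. Names that get no override zone, such as public.st.us, are still resolved by normal recursion.

```sh
#!/bin/sh
# Added example: generate one single-record override zone per host.
# Assumptions (not from the post): BIND 9, the file layout, and the
# SOA contact/timers. mydns1.my.net is the resolver named in the post.

# write_override_zone <fqdn> <internal-ip> <outdir>
# Writes <outdir>/db.<fqdn> and appends a zone stanza to overrides.conf.
write_override_zone() {
    fqdn=$1 ip=$2 outdir=$3

    # Reject values containing anything but digits and single dots, so
    # stray input cannot end up inside the generated zone file.
    case $ip in
        *[!0-9.]*|''|*..*|.*|*.) echo "bad address: $ip" >&2; return 1 ;;
    esac

    # The zone is authoritative for this name and everything below it:
    # any other record types clients need (AAAA, MX, ...) must be added here.
    cat > "$outdir/db.$fqdn" <<EOF
\$TTL 300
@   IN SOA mydns1.my.net. hostmaster.my.net. ( 1 3600 600 86400 300 )
    IN NS  mydns1.my.net.
    IN A   $ip
EOF

    cat >> "$outdir/overrides.conf" <<EOF
zone "$fqdn" {
    type master;
    file "$outdir/db.$fqdn";
};
EOF
}

# generate_overrides <outdir>   (reads "fqdn ip" lines on stdin)
generate_overrides() {
    outdir=$1
    : > "$outdir/overrides.conf"
    while read -r fqdn ip; do
        case $fqdn in ''|'#'*) continue ;; esac   # skip blanks and comments
        write_override_zone "$fqdn" "$ip" "$outdir" || return 1
    done
}

# Constructed sample list; only private.st.us / 10.0.0.8 appears in the post.
demo_dir=$(mktemp -d)
generate_overrides "$demo_dir" <<'EOF'
private.st.us 10.0.0.8
EOF
cat "$demo_dir/overrides.conf"
```

Pull the generated `overrides.conf` into `named.conf` with an `include` statement, and run `named-checkconf` and `named-checkzone` on the result before reloading.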